I'm trying to protect a resource in tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried with many combinations of the <security-constraint> directive without success. Any ideas?

3 Answers
Besides the auth-constraint you are adding to the security-constraint:
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
you need to specify the security role in the web-app:
    <security-role>
        <role-name>*</role-name>
    </security-role>

- I'm going to try this and report back. – Ricardo Marimon May 13 '10 at 01:45
- Adding the security-role tag was the solution for us. Thanks. – André Jun 22 '10 at 10:09
- Any way to actually add the constraint outside of the web.xml? E.g. add a constraint for all web apps in addition to the Realm/Valve in context.xml? – cschooley Aug 14 '13 at 20:58
- Answer to above is $CATALINA_BASE/conf/web.xml. See http://stackoverflow.com/questions/18242619/define-a-security-constraint-outside-of-web-xml-e-g-server-wide/18242837#18242837 – cschooley Aug 14 '13 at 21:45
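As an added check (not code from the question or any of the answers), the following Python script parses a web.xml and reports every role named in an <auth-constraint>, including `*`, that has no matching <security-role> declaration, which is exactly the omission the accepted answer fixes. The sample web.xml embedded below is constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.xml reproducing the asker's situation: the auth-constraint
# uses <role-name>*</role-name> but no <security-role> is declared in the web-app.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>example</realm-name>
  </login-config>
</web-app>
"""

def _local(tag):
    """Strip the namespace prefix ElementTree adds when web-app declares xmlns."""
    return tag.rsplit("}", 1)[-1]

def _find_all(elem, name):
    """All elements under elem (any namespace) whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]

def undeclared_roles(web_xml_text):
    """(web-resource-name, role) pairs whose role no <security-role> declares."""
    root = ET.fromstring(web_xml_text)
    declared = {(rn.text or "").strip()
                for sr in _find_all(root, "security-role")
                for rn in _find_all(sr, "role-name")}
    missing = []
    for sc in _find_all(root, "security-constraint"):
        names = [n.text.strip() for n in _find_all(sc, "web-resource-name") if n.text]
        label = names[0] if names else "<unnamed>"
        for ac in _find_all(sc, "auth-constraint"):
            for rn in _find_all(ac, "role-name"):
                role = (rn.text or "").strip()
                if role not in declared:
                    missing.append((label, role))
    return missing

def with_security_role(web_xml_text, role="*"):
    """Apply the accepted answer's fix: declare `role` at web-app level."""
    decl = f"<security-role><role-name>{role}</role-name></security-role>"
    return web_xml_text.replace("</web-app>", decl + "\n</web-app>")
```

With Tomcat's default allRolesMode (strict), the `*` in an auth-constraint is matched against the roles declared in <security-role>, which is why the missing declaration breaks the setup; the allRolesMode="authOnly" setting in the later answer instead admits any authenticated user, a server-side setting this check does not inspect.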
There are several realm implementations in Tomcat: memory, database, JAAS and more. The easiest one to configure (though not the most secure) is the memory one, which consists of a single XML file, usually conf/tomcat-users.xml:
    <tomcat-users>
        <user name="tomcat" password="tomcat" roles="tomcat" />
        <user name="role1" password="tomcat" roles="role1" />
        <user name="both" password="tomcat" roles="tomcat,role1" />
    </tomcat-users>
The realm configuration is under the context, host or engine configurations, like this:
    <Realm className="org.apache.catalina.realm.MemoryRealm"
           pathname="conf/tomcat-users.xml" />
Then, in the web.xml you put the following definition:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MRC Customer Care</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>role1</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- Define the Login Configuration for this Application -->
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>YOUR REALM NAME</realm-name>
    </login-config>
    <security-role>
        <description>
            The role that is required to access the application.
            Should be one from the realm (the tomcat-users.xml file).
        </description>
        <role-name>role1</role-name>
    </security-role>
The web.xml part is taken (with slight change) from one of our web apps.

- In my particular environment I'm connecting to an ldap using the JNDIRealm. The problem is that I can't include groups in the ldap and must authenticate based only on the username and password without any role. I have tried using ` ` and ` * ` without success. – Ricardo Marimon Jul 08 '09 at 01:40
If we are using Tomcat 8.x, since the provided server.xml comes with a nested Realm element, please add allRolesMode="authOnly" to the outermost Realm element and change the aforementioned web.xml for testing, e.g.
    <Realm allRolesMode="authOnly" className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase". Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm. -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
    </Realm>
Please read org.apache.catalina.realm.RealmBase.java for details.
Also, the following settings in logging.properties are useful:
    org.apache.catalina.realm.level=ALL
    org.apache.catalina.realm.useParentHandlers=true
    org.apache.catalina.authenticator.level=ALL
    org.apache.catalina.authenticator.useParentHandlers=true
